Allow filtering the IP addresses that RawDNS returns for a given container

[michaeljbailey]

I have some containers that have a frontend and backend network defined. Currently, if I perform a name resolution on those containers I am receiving both addresses.

We should consider a config.json option that excludes specifically labeled OR named networks from being advertised over DNS.

For arguments sake, we'll consider the containers db, redis, and app as created by the following docker-compose file:

networks:
  frontend
  backend:
    internal: true

services:
  db:
    image: mariadb
    networks:
      - backend
  redis:
    image: redis
    networks:
     - backend
  app:
    image: my_custom_app
    networks:
      - backend
      - frontend
    depends_on:
      - db
      - redis

If we dig <rawdns_container> app.tld then I should only receive the frontend IP address.

We can achieve this through some configuration option like:

{
	"docker.lab.local." {
		"type": "containers",
		"exclude": {
			"labels": [ "DO_NOT_RESOLVE" ]
			"names": [ "backend" ]
		}
		"socket": "unix:////var/run/docker.sock"
	},
	"lab.local.": {
		"type": "forwarding",
		"nameservers": [ "192.168.1.250" ]
	}
	".": {
			"type": "forwarding",
			"nameservers": [ "208.67.220.220" ]
	}
}

The way you would read this is:

1. Resolve *.docker.label.local via the Docker API
2. If a container has a network labeled DO_NOT_RESOLVE, then don't return IPs with that network
3. If a container has a network named backend, then don't return IPs associated with that network

So if I try a dig <rawdns_container> app.tld then I would only receive the frontend IP.

[tianon]

Interesting idea!

Right now, we only inspect containers, and doing something based on network labels would require us to perform an additional Docker API request for each attached network of the requested container, which I'm not a big fan of.

Also, the more I use the JSON configuration file, the less I like it, and I definitely don't think we want to add more bespoke one-off configuration items, so I'm wondering if maybe we could do something more "generic" with text/template to allow for a more generic mini-expression like {{ if (eq .Name "backend") }}true{{ end }} so that users can build up some of their own logic (maybe with helper functions defined for things like CIDR comparisons?).

Also, I went to a talk about CoreDNS back at KubeCon last November, and it's flexible enough that I've considered whether rawdns actually makes sense to continue doing things with, given that I think it could be implemented much more flexibly using CoreDNS (although with the caveat that I haven't actually tried writing anything with/for it yet). I mean, if it's working for the complex needs of Kubernetes itself, maybe it isn't worth maintaining my own DNS server anymore? 😅